A little thread exposing screenshots + comms from the Gentlemen Leaks. These provide super interesting insight into the inside operations of successful RaaS groups.
Everything from aspects of the operators' personal lives to their TTPs and victims. All images shared are from the Rocket.Chat leak.
We even discovered in March they attempted to send flowers to a UK-based victim....
On 28th Feb, they recognise they're "top 2" on https://t.co/hpPlgsz0wo + Devman has gone ;)🚓
Translation of zeta88's first message:
"In short, Devman was either taken in, for health reasons, or because of a rebranding—it all disappeared.
And we're top 2 on RansomLive based on statistics, but not based on profit, I think."
We can see a @GangExposed tweet shared by The Gentlemen, alongside the https://t.co/hpPlgsz0wo stats
The threat actor's IP 77.90.185[.]9 was found hosting a well-known VPN brute-forcing tool called "VPN Brute", with its login portal exposed on port 7000.
17 VPN Brute instances were found on Censys with this search:
web.endpoints.http.body_hash_sha256 = "a045f3267dd84d315eb3ffaf4827860b70665269aaeeff86cb1e381c2b7f55c4"
A recent SonicWall SSL VPN brute-forcing campaign has been observed.
A total of 24,624 POST attempts to /api/sonicos/auth on port 4433 over 10 hours. Every attempt originated from this one source IP 77.90.185[.]9.
All 24,624 attempts used the single password Spring2026!. The usernames consisted of exactly 1000 common US surnames combined with a first initial, in the format <first-initial><surname>.
Sample firewall log entry from the campaign:
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:11 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: tmiller)" src=77.90.185[.]9 dst=x.x.x.x:4433
IOC:
- 77.90.185[.]9
When a brute-force attempt succeeds, the SonicWall returns success=true with a bearer-token JWT scoped as API_AUTH_SSLVPN, and the firewall logs an m=602 event. The response also exposes the SonicWall model in use.
Firewall success log:
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:11 UTC" fw=x.x.x.x pri=6 c=32 m=602 msg="WAN zone remote user login allowed" usr="tmiller" src=77.90.185[.]9 dst=x.x.x.x:4433
The token gives the threat actor SSL VPN access to the network, which can then be established with clients like NetExtender.
Successful result:
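The two log events quoted above (m=745 denials, then an m=602 allow from the same source) are what a defender can key on. As an added example that is not part of the original thread, the script below parses constructed SonicWall-style lines (serial, fw and dst values are placeholders), groups failures by source IP, flags spray-like sources hitting many distinct usernames, and records any login allowed after failures from that same source; the detection thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the SonicWall entries quoted in the
# thread; serial, fw and dst values are placeholders, not real data.
SAMPLE_LOGS = """\
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:09 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: jsmith)" src=77.90.185.9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:10 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: mjohnson)" src=77.90.185.9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:11 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: tmiller)" src=77.90.185.9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 04:57:12 UTC" fw=x.x.x.x pri=6 c=32 m=602 msg="WAN zone remote user login allowed" usr="tmiller" src=77.90.185.9 dst=x.x.x.x:4433
id=firewall sn=XXXXXXXXX time="2026-05-13 05:01:00 UTC" fw=x.x.x.x pri=4 c=32 m=745 msg="User login denied - LDAP authentication failure (User: bob)" src=10.0.0.5 dst=x.x.x.x:4433
"""

# key=value pairs; values are either double-quoted or a run of non-spaces
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# m=745 denials carry the username inside the msg text, not in a usr= field
USER_IN_MSG_RE = re.compile(r"\(User: ([^)]+)\)")


def parse_line(line):
    """Split one SonicWall syslog line into a dict and normalise the username."""
    fields = {k: (u or q) for k, q, u in KV_RE.findall(line)}
    if "usr" not in fields:
        hit = USER_IN_MSG_RE.search(fields.get("msg", ""))
        if hit:
            fields["usr"] = hit.group(1)
    return fields


def find_spray_sources(log_text, min_distinct_users=50):
    """Return {src: summary} for sources that look like a password spray
    (many distinct users failing) or that log an m=602 allow after failures."""
    fail_count = defaultdict(int)
    failed_users = defaultdict(set)
    success_after_fail = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        src, code, user = f.get("src"), f.get("m"), f.get("usr")
        if not src or not code:
            continue
        if code == "745":
            fail_count[src] += 1
            if user:
                failed_users[src].add(user)
        elif code == "602" and fail_count[src] > 0:
            success_after_fail[src].append(user)
    alerts = {}
    for src, count in fail_count.items():
        spray = len(failed_users[src]) >= min_distinct_users
        if spray or success_after_fail[src]:
            alerts[src] = {"failures": count, "distinct_users": len(failed_users[src]),
                           "spray": spray, "success_after_failures": success_after_fail[src]}
    return alerts
```

Against the real campaign a single source producing 24,624 m=745 events across 1000 usernames trips the spray rule long before any m=602 appears; the success-after-failures list is the entry to escalate immediately.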
Over a 7-month period, a Qilin affiliate exposed 5 C2 servers -> OPSEC L
-> Sliver C2 / SOCKS running on WatchGuard devices
-> Initial access primarily via WG/Fortinet exploitation
-> 3 real victims found via Qilin blog
-> 🇺🇸 & 🇩🇪 targeting
-> 7+ CVEs used
Link to blog below👇
When a Qilin affiliate makes many big #oopsies over 7 months... not knowing they are silently being tracked by us🤩
Ctrl-Alt-Intel blog coming later this week🤪
A lot of cyber folks use Udemy for self-learning. Following the ShinyHunters breach, it's worth checking Have I Been Pwned to see if your data was leaked.
New breach: Udemy had 1.4M email addresses leaked yesterday following an extortion attempt by ShinyHunters. Data included name, address, phone, employer info and instructor payout method. 56% were already in @haveibeenpwned. Read more: https://t.co/qxq9LkoMqs